Bugfix: Propagate remapping impersonation in automatic interrogate (V…

…elocidex#3641)
Genio40921 · Jul 24, 2024 · b88c17d · b88c17d
1 parent 394fb5b
commit b88c17d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/actions/client_info.go b/actions/client_info.go
@@ -20,17 +20,6 @@ func GetClientInfo(
 	config_obj *config_proto.Config) *actions_proto.ClientInfo {
 	result := &actions_proto.ClientInfo{}
 
-	info, err := psutils.InfoWithContext(ctx)
-	if err == nil {
-		result = &actions_proto.ClientInfo{
-			Hostname:     info.Hostname,
-			System:       info.OS,
-			Release:      info.Platform + info.PlatformVersion,
-			Architecture: runtime.GOARCH,
-			Fqdn:         fqdn.Get(),
-		}
-	}
-
 	if config_obj.Version != nil {
 		result.ClientName = config_obj.Version.Name
 		result.ClientVersion = config_obj.Version.Version
@@ -39,6 +28,24 @@ func GetClientInfo(
 		result.InstallTime = config_obj.Version.InstallTime
 	}
 
+	for _, remapping := range config_obj.Remappings {
+		if remapping.Type == "impersonation" {
+			result.Hostname = remapping.Hostname
+			result.Fqdn = remapping.Hostname
+			result.System = remapping.Os
+			return result
+		}
+	}
+
+	info, err := psutils.InfoWithContext(ctx)
+	if err == nil {
+		result.Hostname = info.Hostname
+		result.System = info.OS
+		result.Release = info.Platform + info.PlatformVersion
+		result.Architecture = runtime.GOARCH
+		result.Fqdn = fqdn.Get()
+	}
+
 	if config_obj.Client != nil {
 		result.Labels = config_obj.Client.Labels
 	}

diff --git a/vql/remapping/install.go b/vql/remapping/install.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"runtime"
 
 	"github.com/Velocidex/ordereddict"
 
@@ -219,6 +220,7 @@ func ApplyRemappingOnScope(
 						Set("VirtualizationRole", "").
 						Set("HostID", "").
 						Set("Exe", "").
+						Set("Architecture", runtime.GOARCH).
 						Set("IsAdmin", true),
 				}))
 			disablePlugins(remapped_scope, remapping)